A method for determining typical time characteristics of security events based on statistical data for correlation analysis tasks

Information security application
Authors:
Abstract:

The article presents a method for determining typical time parameters of information security events based on the analysis of event logs. The method processes inter-event intervals and makes it possible to identify characteristic temporal patterns in the operation of security event sources. The proposed approach includes sampling time intervals, identifying the structural gap between event intervals and inter-session intervals, filtering outliers using the interquartile range, and determining typical values based on clustering and group analysis. To account for the variability of the data, estimates of the mean and standard deviation are used, followed by a division into interval windows. A numerical experiment has been conducted on data from real-world event logs, confirming that the method works when analyzing sources with different event generation rates. The experiment was conducted on logs from an OPC server, Windows Server, and the PostgreSQL database management system. The results obtained demonstrate the method's robustness to outliers, multimodal distributions, and the presence of zero intervals. The developed method can be used in the construction of correlation rules in SIEM systems, as well as in behavior analysis and anomaly detection tasks in the information security infrastructure.
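The pipeline sketched in the abstract can be followed end to end on a small constructed log. The code below is an added illustration, not the authors' implementation: the timestamps are constructed, the structural gap is located as the largest ratio between neighbouring distinct positive intervals (threshold `min_ratio` is an assumed parameter), outliers are removed with a 1.5 x IQR rule, and the interval windows are taken to be one standard deviation wide. Each of these choices is one plausible reading of the abstract and is marked as such in the comments.

```python
"""
Typical inter-event interval estimation from an event log.

Added example illustrating the stages named in the abstract (interval
sampling, structural-gap split, IQR outlier filtering, mean/stdev and
interval windows). The concrete rules below are assumptions, not the
paper's own implementation.
"""
import math
import statistics
from typing import Dict, List, Sequence, Tuple

# Constructed sample: event timestamps (seconds) from a single source.
# Three "sessions" of events a few seconds apart, separated by
# inter-session gaps of 3600 s and 7200 s. Session 1 contains a duplicate
# timestamp (a zero interval); session 2 contains a single 40 s outlier.
SAMPLE_TIMESTAMPS = [
    0, 5, 11, 15, 20, 27, 32, 32, 36, 42, 47, 50,   # session 1
    3650, 3654, 3660, 3700, 3705, 3710, 3717,       # session 2
    10917, 10922, 10928,                            # session 3
]


def inter_event_intervals(timestamps: Sequence[float]) -> List[float]:
    """Sample the log into inter-event intervals (zero intervals are kept)."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def split_by_structural_gap(intervals: Sequence[float],
                            min_ratio: float = 10.0) -> Tuple[List[float], List[float]]:
    """Separate event intervals from inter-session intervals.

    Assumed rule: sort the distinct positive intervals and find the largest
    ratio between neighbours. If it reaches min_ratio, everything from the
    upper neighbour on is treated as an inter-session interval. Zero
    intervals (same-second bursts) always stay with the event intervals.
    """
    positive = sorted({x for x in intervals if x > 0})
    cut, best = None, min_ratio
    for lo, hi in zip(positive, positive[1:]):
        if hi / lo >= best:
            best, cut = hi / lo, hi
    if cut is None:                      # no gap large enough: one regime only
        return list(intervals), []
    event = [x for x in intervals if x < cut]
    session = [x for x in intervals if x >= cut]
    return event, session


def iqr_filter(values: Sequence[float], k: float = 1.5) -> Tuple[List[float], List[float]]:
    """Drop values outside [Q1 - k*IQR, Q3 + k*IQR]; returns (kept, dropped)."""
    q1, _, q3 = statistics.quantiles(values, n=4, method="inclusive")
    lo, hi = q1 - k * (q3 - q1), q3 + k * (q3 - q1)
    kept = [v for v in values if lo <= v <= hi]
    dropped = [v for v in values if not lo <= v <= hi]
    return kept, dropped


def typical_interval(values: Sequence[float]) -> Dict[str, object]:
    """Mean/stdev estimate, then windows one stdev wide; the most populated
    window is reported as the typical interval range (assumed rule)."""
    mean = statistics.fmean(values)
    sd = statistics.stdev(values) if len(values) > 1 else 0.0
    width = sd if sd > 0 else 1.0        # all-equal intervals: a single window
    lo, hi = min(values), max(values)
    n_windows = max(1, math.ceil((hi - lo) / width))
    counts = [0] * n_windows
    for v in values:
        idx = min(int((v - lo) // width), n_windows - 1)   # clamp the maximum
        counts[idx] += 1
    best = max(range(n_windows), key=counts.__getitem__)
    return {
        "mean": mean,
        "stdev": sd,
        "windows": [(lo + i * width, lo + (i + 1) * width, c) for i, c in enumerate(counts)],
        "typical_window": (lo + best * width, lo + (best + 1) * width),
        "typical_count": counts[best],
    }


def analyse(timestamps: Sequence[float], min_ratio: float = 10.0,
            k: float = 1.5) -> Dict[str, object]:
    """Run the whole pipeline on one source's timestamps."""
    intervals = inter_event_intervals(timestamps)
    event, session = split_by_structural_gap(intervals, min_ratio)
    kept, dropped = iqr_filter(event, k)
    result = typical_interval(kept)
    result.update({
        "n_intervals": len(intervals),
        "session_intervals": sorted(session),
        "outliers": sorted(dropped),
        "zero_intervals": event.count(0),
    })
    return result


if __name__ == "__main__":
    r = analyse(SAMPLE_TIMESTAMPS)
    print(f"intervals: {r['n_intervals']}, inter-session: {r['session_intervals']}")
    print(f"outliers removed by IQR: {r['outliers']} (zero intervals seen: {r['zero_intervals']})")
    print(f"typical interval: {r['mean']:.2f} s +/- {r['stdev']:.2f} s")
    lo, hi = r["typical_window"]
    print(f"most populated window: [{lo:.2f}, {hi:.2f}) s with {r['typical_count']} intervals")
```

On the constructed sample the 40 s burst gap and the zero interval fall outside the IQR fence, the two hour-scale gaps are recognised as inter-session intervals, and the typical interval settles at about 5 s; the same functions can be fed timestamps parsed from a real log to obtain the per-source thresholds a correlation rule would use.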